“Health is now the number one target for ransomware around the world – more so than Finance, Retail, Transportation and Manufacturing,” says Liz Schoff, Security Consultant at healthAlliance. “The value of a health record on the dark web can be as much as USD $100, compared to just a few dollars for a black-market credit card number,” she adds. “The reason is when a credit card number or bank account number is compromised it can pretty quickly be shut down and not used again, but health information sticks with people forever,” she explains. “The value of stolen or ransomed health information remains the highest and that’s why we continue to get targeted the most,” she adds.
In today’s world you cannot run a hospital without computers. Patient information is held online, and computers are used to run various essential operations every day. “There have been instances where hospitals have been forced to pay when a cyber-criminal has managed to encrypt a hospital network and demand a ransom,” says Ms Schoff. “It is absolutely critical for us to make sure that all of our staff understand how to identify phishing emails and not have a behaviour that could lead to a compromise of our network,” she adds.
These behaviours could be clicking on links, giving away one’s credentials or downloading attachments that might have viruses. “Even though there are technologies to reduce risks by looking at attachments before they are downloaded, or by checking websites before you allow someone to visit them, cyber-criminals are always innovating and they’re getting smarter,” says Ms Schoff. “It’s really hard to have technology that’s 100% up to speed, so having an educated staff is absolutely the best defence a hospital can have,” she adds.
Recognising its increased exposure to phishing attacks, healthAlliance began looking for solutions that could help it manage the risk by training its employees to identify phishing emails. “We had heard that another district health board in New Zealand had run with Shearwater’s Phriendly Phishing software, so we touched base with them and asked about how it was working,” says Ms Schoff. “When another organisation in our sector successfully uses a solution, word gets around, and that gives us an immediate level of comfort that the product should also work for us,” she adds.
Phriendly Phishing is a phishing awareness and simulation program designed to help organisations measure, track and improve their staff’s ability to identify and manage phishing and spear-phishing threats. Typically, up to 70 out of 100 employees would open a spear-phishing email, and 35 would click on the embedded link. The resulting ransomware can cause significant business disruption and costly remediation, not to mention reputational damage. With Phriendly Phishing, organisations get a fully managed, comprehensive and measurable training solution, with easy-to-use tools that help them understand their organisation’s overall phishing risk profile, educate their staff, nurture awareness and prove successful behavioural change across the organisation.
Phriendly Phishing works in three simple stages:
MEASUREMENT: Baseline Audit
Starts with a simulated phishing campaign to determine your organisation’s overall phishing risk, and to establish a baseline for future improvement measurements.
IMPROVEMENT: Awareness Training
Delivered via the Internet; with tiers targeted at the beginner, intermediate and advanced levels, the training creates awareness of phishing threats and enables staff to develop phishing detection skills. Users start at the beginner level and work their way up.
REINFORCEMENT: Learning Reinforcement
To reinforce the training concepts and incorporate them into the employee’s day-to-day reality, staff members receive simulated phishing emails of varying sophistication at random intervals. This is designed to help fine-tune detection skills. If a user clicks a link in any of the simulated emails, they are redirected to the portal for a training recap.
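The three stages above depend on being able to turn raw simulation results into comparable numbers: a baseline click rate, the same rate on later campaigns, a report rate, and the list of staff who keep clicking and need extra reinforcement. The script below is an added example written for this page, not code from Phriendly Phishing or healthAlliance; it assumes a campaign export can be reduced to one row per (campaign, recipient, action), and the event rows it uses are constructed sample data, not real results.

```python
from collections import defaultdict

# Constructed sample events (illustrative only, not real campaign data).
# One row per (campaign, recipient, action); actions are
# "delivered", "opened", "clicked" or "reported". A click implies an open.
SAMPLE_EVENTS = [
    ("baseline", "alice", "delivered"), ("baseline", "bob", "delivered"),
    ("baseline", "carol", "delivered"), ("baseline", "dave", "delivered"),
    ("baseline", "erin", "delivered"),
    ("baseline", "alice", "clicked"), ("baseline", "bob", "clicked"),
    ("baseline", "carol", "clicked"), ("baseline", "dave", "opened"),
    ("baseline", "erin", "reported"),

    ("month1", "alice", "delivered"), ("month1", "bob", "delivered"),
    ("month1", "carol", "delivered"), ("month1", "dave", "delivered"),
    ("month1", "erin", "delivered"),
    ("month1", "alice", "clicked"), ("month1", "bob", "clicked"),
    ("month1", "dave", "opened"),
    ("month1", "carol", "reported"), ("month1", "erin", "reported"),

    ("month2", "alice", "delivered"), ("month2", "bob", "delivered"),
    ("month2", "carol", "delivered"), ("month2", "dave", "delivered"),
    ("month2", "erin", "delivered"),
    ("month2", "alice", "clicked"), ("month2", "dave", "opened"),
    ("month2", "bob", "reported"), ("month2", "carol", "reported"),
    ("month2", "erin", "reported"),
]


def group_by_campaign(events):
    """Map campaign -> action -> set of recipients; clicks also count as opens."""
    groups = defaultdict(lambda: defaultdict(set))
    for campaign, user, action in events:
        groups[campaign][action].add(user)
        if action == "clicked":
            groups[campaign]["opened"].add(user)
    return groups


def campaign_metrics(events, campaign):
    """Counts and rates for one campaign; rates are relative to delivered mail."""
    g = group_by_campaign(events)[campaign]
    delivered = len(g["delivered"])
    rate = lambda n: round(n / delivered, 2) if delivered else 0.0
    return {
        "delivered": delivered,
        "opened": len(g["opened"]),
        "clicked": len(g["clicked"]),
        "reported": len(g["reported"]),
        "click_rate": rate(len(g["clicked"])),
        "report_rate": rate(len(g["reported"])),
    }


def click_rate_trend(events):
    """Click rate per campaign, in the order campaigns first appear."""
    order = []
    for campaign, _, _ in events:
        if campaign not in order:
            order.append(campaign)
    return [(c, campaign_metrics(events, c)["click_rate"]) for c in order]


def repeat_clickers(events, min_campaigns=2):
    """Recipients who clicked in at least min_campaigns distinct campaigns,
    sorted by number of campaigns (descending) then by name."""
    counts = defaultdict(set)
    for campaign, user, action in events:
        if action == "clicked":
            counts[user].add(campaign)
    hits = [(u, len(c)) for u, c in counts.items() if len(c) >= min_campaigns]
    return sorted(hits, key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    for campaign, rate in click_rate_trend(SAMPLE_EVENTS):
        print(f"{campaign:10s} click rate {rate:.0%}")
    print("repeat clickers:", repeat_clickers(SAMPLE_EVENTS))
```

The baseline campaign supplies the first number in the trend; each monthly reinforcement campaign adds another point, and a falling click rate with a rising report rate is the behavioural change the programme is meant to prove. The repeat-clicker list is the group to route to the next training tier.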
healthAlliance has been sending its monthly simulated phishing emails for more than 6 months and is delighted with the results it is seeing across the organisation. “The Phriendly Phishing portal is a great tool and allows us to see specifically who’s recording scams, and more importantly identify the staff who continually click on the simulated links,” says Ms Schoff.
Hospitals are vulnerable because doctors and nurses are very busy people. Cyber criminals are also getting smart about when they send their phishing emails, timing them on or around shift changes. “When you’re busy it’s easy to forget and quickly look at your emails, open messages and click links because you’re rushed,” says Ms Schoff. “Our training programmes, which send simulated phishing emails every month, provide the platform for our people to get a regular reminder to keep sharp and alert to threats,” she adds.
When asked if healthAlliance believes it is a safer organisation because of the introduction of Phriendly Phishing by Shearwater Solutions, Ms Schoff is in no doubt. “We know that the behaviour across the organisation has improved because we can measure exactly how many people are recording our simulated links, and more importantly we have clear evidence our people are clicking less on dangerous links,” concludes Ms Schoff.